Re: [fw-wiz] Query on OS hardening

From: Volker Tanger (
Date: 02/20/03

  • Next message: Loomis, Rip: "RE: [fw-wiz] DNS UDP packets > 512 bytes"
    From: Volker Tanger <>
    Date: Thu, 20 Feb 2003 13:54:17 +0100


    Carson Gaspar wrote:
    > <> wrote:
    >> Quite easy: SSH with distributed keys plus some simple shell scripting.
    >> Main advantage is that you won't need to install anything (fancy) on
    >> the system in question.
    > Ah yes... and how much CPU do you have to spare for SSH session setup
    > (on both the systemn being monitored and your monitoring server)? And
    > how often do you want to collect the data?

    On one of the instances I am running the check interval varies 1-5
    minutes depending on service, averaging at a bit less than 3 minutes.
    Overall load on the management server (P2/400 with 128MB) is 0.1
    (uptime) with >100 service checks via SSH. CPU idle (vmstat) averages at 92%

    So, yes you are right, you'll have to have an eye on your ressources.
    But as long as the central server is basically idling and your checked
    machines do the same, I see no problems here.

    I tried to run a compromise in older version of ASLCceck where multiple
    checks were done within in one single SSH session. But with too much
    idle CPU power to burn in *my* setup I decided to split checks and have
    a separate SSH session for each single check.

    Main advantages:
            - flexibility
            - no (additional) software needed (at all) on the
              machines checked

    Main disadvantage:
            - high(er) CPU and network load on server and client

    So as long as you know what you're doing...

    So thanks for explicitly pointing to that problem - and for this reason
    fowarded to FWTOOLS, too.

    Volker Tanger
    IT-Security Consulting

    discon gmbh
    Wrangelstraße 100
    D-10997 Berlin
    Telefon  (030) 6104-3307
    Telefax  (030) 6104-3461
    firewall-wizards mailing list

    Relevant Pages

    • Re: Trouble with X11 over SSH on Mandriva 2010.0
      ... If next clean install/update causes ssh to break, ... installed the sshd daemon/service package (OpenSSH Server) on the server. ... correct values for client and server. ...
    • Re: Apache Software Foundation Server compromised, resecured. (fwd)
      ... this was one "result" of the comromised ssh binary at sourceforge. ... a public server of the Apache Software Foundation ... > (ASF) was illegally accessed by unknown crackers. ... > exhaustive audit of all Apache source code and binary distributions ...
    • Re: FreeBSD Crash without Errors, Warnings, or Panics
      ... I suppose I could run on stable until the driver is fixed in a release branch, but I need this box up and online, and I've always read that the stable branch is not the place for production servers. ... I'm running 6.0-RELEASE-p5 on a Toshiba built server: dual Xeon Intel motherboard with a LSILogic MegaRAID controller. ... Also, some network ports still respond, like a telnet to port 22 to test SSH will yield an SSH banner, but trying to connect with SSH just hangs. ... The box runs a web-based app and connects to a local Postgres DB which seemed to be unable to start new connections being requested by the PHP scripts. ...
    • Re: restrict ssh access
      ... > We have one ssh server which receives about 6000 failed attempts to ... > unsuccessful login attempts per client IP address? ... the remote server is also running OpenSSH. ...
    • Re: SSH as root
      ... Subject: SSH as root ... but it doesn't require having a key on the server that could be ... If they compromise a server, and the passphrase, etc. is there, they only ... private key to anyone. ...